So our goal is to get this function called. Locally I created a flag.txt and then started hacking on the assembly. The address for the flag function is 0x0000000000400676. Knowing that this is a 64-bit assembly is important to make sure we put the full address into the payload.

Looking at the main assembly, I see that s is allocated 0x400 or 1024 bytes. So I created a text file using a python script and decided to try and completely smash the stack: